fix: exclude transitive devDependencies from Yarn Berry SBOM using BFS reachability

soul2zimate · claude · soul2zimate · commit 226279c88c2c · 2026-04-07T09:40:35.000+08:00
The previous implementation only filtered devDependencies at the root edge,
but still processed all non-root nodes unconditionally. This meant transitive
dependencies of devDeps (e.g., jest -&gt; some-test-util) would leak into the SBOM.

Uses BFS from root production deps to compute the reachable set, then skips
unreachable nodes and edges during SBOM emission. Also adds a test fixture
with a transitive devDep to expose the issue.

Co-Authored-By: Claude Sonnet 4 &lt;noreply@anthropic.com&gt;
diff --git a/src/main/java/io/github/guacsec/trustifyda/providers/YarnBerryProcessor.java b/src/main/java/io/github/guacsec/trustifyda/providers/YarnBerryProcessor.java
@@ -23,6 +23,9 @@
 import io.github.guacsec.trustifyda.sbom.Sbom;
 import io.github.guacsec.trustifyda.tools.Operations;
 import java.nio.file.Path;
+import java.util.ArrayDeque;
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeMap;
@@ -109,32 +112,93 @@ void addDependenciesToSbom(Sbom sbom, JsonNode depTree) {
     if (depTree == null) {
       return;
     }
+
+    Map<String, JsonNode> nodeIndex = new HashMap<>();
+    depTree.forEach(n -> nodeIndex.put(n.get("value").asText(), n));
+
     Set<String> prodDeps = manifest.dependencies;
+    Set<String> reachable = new HashSet<>();
+    var queue = new ArrayDeque<String>();
+
+    for (JsonNode n : depTree) {
+      var depName = n.get("value").asText();
+      if (isRoot(depName)) {
+        var deps = (ArrayNode) n.get("children").get("Dependencies");
+        if (deps != null) {
+          for (JsonNode d : deps) {
+            var locator = d.get("locator").asText();
+            var target = purlFromlocator(locator);
+            if (target != null) {
+              var fullName = purlToFullName(target);
+              if (prodDeps.contains(fullName)) {
+                queue.add(locator);
+              }
+            }
+          }
+        }
+        break;
+      }
+    }
+
+    Set<String> reachableNodeValues = new HashSet<>();
+    while (!queue.isEmpty()) {
+      var locator = queue.poll();
+      if (reachable.contains(locator)) {
+        continue;
+      }
+      reachable.add(locator);
+
+      var nodeValue = nodeValueFromLocator(locator);
+      reachableNodeValues.add(nodeValue);
+
+      var node = nodeIndex.get(nodeValue);
+      if (node != null) {
+        var deps = (ArrayNode) node.get("children").get("Dependencies");
+        if (deps != null) {
+          for (JsonNode d : deps) {
+            var childLocator = d.get("locator").asText();
+            if (!reachable.contains(childLocator)) {
+              queue.add(childLocator);
+            }
+          }
+        }
+      }
+    }
+
     depTree.forEach(
         n -> {
           var depName = n.get("value").asText();
           var isRootNode = isRoot(depName);
+          if (!isRootNode && !reachableNodeValues.contains(depName)) {
+            return;
+          }
+
           var from = isRootNode ? sbom.getRoot() : purlFromNode(depName, n);
           var deps = (ArrayNode) n.get("children").get("Dependencies");
           if (deps != null && !deps.isEmpty()) {
             deps.forEach(
                 d -> {
-                  var target = purlFromlocator(d.get("locator").asText());
+                  var locator = d.get("locator").asText();
+                  if (!reachable.contains(locator)) {
+                    return;
+                  }
+                  var target = purlFromlocator(locator);
                   if (target != null) {
-                    // For root node, only include production dependencies
-                    if (isRootNode) {
-                      var fullName = purlToFullName(target);
-                      if (!prodDeps.contains(fullName)) {
-                        return;
-                      }
-                    }
                     sbom.addDependency(from, target, null);
                   }
                 });
           }
         });
   }
 
+  private String nodeValueFromLocator(String locator) {
+    var matcher = VIRTUAL_LOCATOR_PATTERN.matcher(locator);
+    if (matcher.matches()) {
+      return matcher.group(1) + "@npm:" + matcher.group(2);
+    }
+    return locator;
+  }
+
   private static String purlToFullName(PackageURL purl) {
     return purl.getNamespace() != null
         ? purl.getNamespace() + "/" + purl.getName()
diff --git a/src/test/resources/tst_manifests/yarn-berry/deps_with_mixed_dep_types/yarn-berry-ls-stack.json b/src/test/resources/tst_manifests/yarn-berry/deps_with_mixed_dep_types/yarn-berry-ls-stack.json
@@ -3,6 +3,7 @@
 {"value":"eslint@npm:7.0.0","children":{"Version":"7.0.0"}}
 {"value":"express@npm:4.17.1","children":{"Version":"4.17.1","Dependencies":[{"descriptor":"body-parser@npm:1.19.0","locator":"body-parser@npm:1.19.0"}]}}
 {"value":"follow-redirects@npm:1.5.10","children":{"Version":"1.5.10"}}
-{"value":"jest@npm:26.0.0","children":{"Version":"26.0.0"}}
+{"value":"jest@npm:26.0.0","children":{"Version":"26.0.0","Dependencies":[{"descriptor":"some-test-util@npm:1.0.0","locator":"some-test-util@npm:1.0.0"}]}}
+{"value":"some-test-util@npm:1.0.0","children":{"Version":"1.0.0"}}
 {"value":"lodash@npm:4.17.19","children":{"Version":"4.17.19"}}
 {"value":"mixed-deps-test@workspace:.","children":{"Version":"1.0.0","Dependencies":[{"descriptor":"axios@npm:0.19.0","locator":"axios@npm:0.19.0"},{"descriptor":"eslint@npm:7.0.0","locator":"eslint@npm:7.0.0"},{"descriptor":"express@npm:4.17.1","locator":"express@npm:4.17.1"},{"descriptor":"jest@npm:26.0.0","locator":"jest@npm:26.0.0"},{"descriptor":"lodash@npm:4.17.19","locator":"lodash@npm:4.17.19"}]}}
